When Phishing Gets Physical: Physical Social Engineering Attacks

Thanks to the relentless onslaught of phishing, vishing, ransomware and other types of social engineering attacks, your users are the weak link in your network security. Awareness of this fact is growing, and more and more of our customers want to include social engineering testing of their “human network” as part of their overall information security plan.

Don't Get Hooked!

Phishing emails can appear in several different ways. Our 10 Tips for Detecting Phishing Emails infographic provides you with a cheatsheet of what to look for in unfamiliar emails. It's derived from our Cyber Security Awareness Education offering.

But while phishing and vishing tests are becoming more popular, physical social engineering attacks—where the attacker is standing right in front of your employees—are still flying “under the radar.” These in-person hacks are less common than remote or automated attacks, but they nevertheless happen frequently and can be devastatingly effective.

Physical Social Engineering Examples

Impersonating a third-party “IT guy” is a common physical social engineering tactic. The hacker shows up at a facility pretending to be a support IT technician who’s here to check on a printer, copier or other network-connected devices. In today’s “smart everything” world, many devices can “cry for help” to their maintainers via automated alerts, making these types of attacks highly plausible.

Recently I played the “IT guy” role in a physical social engineering test for a client. I walked up to the reception desk and claimed I was there to check on an automated alert that my hypothetical company had received from a network-connected printer. I suggested that the printer’s network card might be “going bad,” and offered a fake serial number and device number.

Usually, I get shooed away pretty quickly—which is what’s supposed to happen—because I don’t have an appointment at a specific time with a specific contact person. But in this case, the receptionist actually called a real IT guy, who came down to talk to me. He checked my bogus serial and device numbers against the asset tracking system before finally telling me, nonconfrontationally: “That device is not on our asset list for this site, maybe it is at another location.” Bravo, IT guy.

Had I done a bit of dumpster diving prior to my visit, I might’ve found legitimate devices and serial numbers on discarded boxes or packing slips. (In my days in IT I probably threw away hundreds of such boxes without a second thought.) If I had gained physical access to a network-connected device based on that information, I would’ve plugged in a rogue device to sniff the network traffic.

Who is Vulnerable to Social Engineering?

Every organization, no matter its size or industry, is a target for social engineering attacks. Educating employees on how these threats work, and having controls in place to mitigate them, are vital to withstanding such attacks.

Social engineering assessments help identify areas where employee awareness may be lacking. This both paves the way for targeted training and also helps highlight issues with operating procedures.